At SxSW today, I attended the Transforming Hospital Systems: The Digital Future of Healthcare panel. In it, we got a pitch from the Microsoft representative for their entry into the electronic medical records field, Microsoft HealthVault.
I asked him the following question, which I admit was kind of tough:
“Microsoft operating systems and software are famously insecure, and Microsoft itself has the unfortunate reputation for being a corporate predator. What is Microsoft doing to win the trust of medical consumers, and show them that Microsoft would be a good steward of their private medical information?”
His answer was disappointing. He admitted that Microsoft has had problems in the past, but claimed that the premise of my question was based on outdated information about the security of Microsoft products. He didn’t provide an answer about what proactive steps Microsoft was taking to reassure people about the safety of their medical data.
In my view, merely asserting that security problems are a thing of the past, then in effect asking for the public’s trust, is woefully insufficient. We still often hear reports of malware and security breaches in Microsoft products. And many people (I’m not one of them, btw) believe that Microsoft is just plain evil; bland assurances of safety will not cut the mustard.
Another issue wasn’t dealt with in the panel, and I can’t find a mention of it on the HealthVault site, either. That’s the Roach Motel problem, where your data checks in, but it never comes out of the Microsoft system. In the past, Microsoft has been infamous for that kind of lock-in, implemented through proprietary formats and by providing no tools for extracting data. According to the site’s privacy statement, you can delete your account and personal information, but there’s no mention of ways to get the data â€” your data â€” out of the HealthVault system, should you choose to switch to another electronic medical records system.
It’s clear that all of these systems, from Microsoft, Google, or others, must be required to have an interchange format that all of them can read and write. That’s obviously something that would need to be mandated by the government, and possibly regulated, too.
Without a much better answer for health information security, and without knowing how my medical records can be made portable, there’s no way I’d be interested in using HealthVault. A name that merely connotes security is no substitute for real security.